Generalization of Attack Signatures

A problem faced by signature-based intrusion detection sensors is that their signatures must be updated whenever new attacks appear and whenever new kinds of benign traffic are observed (the latter to keep false positives down). Today this process is manual, so keeping signature sets current is a Herculean task that consumes the tedious effort of many security experts at the organizations that produce NIDS software. Our goal in this work is to generate signatures automatically by data mining over attack samples. Further, we aim to produce generalized signatures: "generalized" means that a signature also matches some zero-day attacks, rather than only the attack samples on which it was trained.
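To make the idea of a generalized signature concrete, the following is an added illustration written for this page; it is not the paper's algorithm, and the three attack samples, the unseen variant and the benign request are all constructed. It mines the byte fragments that all samples share, in order, and turns them into a pattern with unconstrained gaps, so that a variant never seen in training still matches. The benign request at the end shows the flip side that the text raises: a signature generalized from attack samples alone can also match legitimate traffic, so new benign traffic has to be fed back into the process.

```python
import re
from difflib import SequenceMatcher

# Constructed attack samples: three variants of one hypothetical CGI
# attack family. Illustrative data, not traffic from the paper.
ATTACK_SAMPLES = [
    b"GET /cgi-bin/test.cgi?id=1;cat /etc/passwd HTTP/1.0",
    b"GET /cgi-bin/admin.cgi?user=x;cat%20/etc/passwd HTTP/1.1",
    b"GET /cgi-bin/view.cgi?f=../../etc/passwd HTTP/1.1",
]

MIN_SEGMENT = 4     # shorter invariant fragments are too weak to keep
SENTINEL = b"\x00"  # separates segments; assumed absent from the samples


def refine(segments, sample):
    """Keep only the parts of `segments` that occur, in order, in `sample`.

    The segments are joined with a sentinel so that one longest-common-
    block computation respects their relative order; matching blocks are
    reported in increasing position in both sequences, so the result is
    again an ordered list of invariant fragments.
    """
    skeleton = SENTINEL.join(segments)
    sm = SequenceMatcher(None, skeleton, sample, autojunk=False)
    out = []
    for a, _b, n in sm.get_matching_blocks():
        block = skeleton[a:a + n]
        if n >= MIN_SEGMENT and SENTINEL not in block:
            out.append(block)
    return out


def mine_signature(samples):
    """Return the ordered byte fragments shared by every attack sample."""
    segments = [samples[0]]
    for sample in samples[1:]:
        segments = refine(segments, sample)
    return segments


def compile_signature(segments):
    """Invariant fragments in order; anything is allowed in the gaps."""
    return re.compile(b".*?".join(re.escape(s) for s in segments), re.DOTALL)


def matches(pattern, payload):
    return pattern.search(payload) is not None


if __name__ == "__main__":
    segs = mine_signature(ATTACK_SAMPLES)
    sig = compile_signature(segs)
    print("invariant segments:", segs)
    # An unseen variant of the same family (constructed): never in training.
    zero_day = b"GET /cgi-bin/new.cgi?p=%2e%2e/%2e%2e/etc/passwd HTTP/1.1"
    # A benign request that merely mentions the same file (constructed).
    benign = b"GET /cgi-bin/help.cgi?topic=/etc/passwd HTTP/1.1"
    for p in ATTACK_SAMPLES + [zero_day, benign, b"GET /index.html HTTP/1.1"]:
        print(matches(sig, p), p)
```

On the constructed samples the mined invariants are `GET /cgi-bin/`, `.cgi?` and `/etc/passwd HTTP/1.`; the variant-specific script names and parameter encodings fall into the gaps, which is what lets the unseen variant match. The benign help request matches too, which is exactly why the generation process must also consume benign traffic, not just attack samples.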